BTH-Relay with own config?

Hi, I saw that MT offers with BTH-VPN an option to get it working through NAT devices. I assume the LAN-side device connects to MT's relay server and the WAN-side (phone…) also connects to MT, and they (somehow) connect both ends. In my understanding this is a classic "hole punching" technique (like TeamViewer, AnyDesk… use it too).

My question: I have a highly customized setup (firewall rules, chains, mangling, multiple routing tables…), but I'd like to use the "Relay" part of BTH without all the other stuff (like predefined rules and all these things, which are easy for normal users, but they could break my things).

Is it possible to use it that way? Can I say WireGuard (LAN side) should always connect initially to MT and keep this connection? When I later connect from the WAN to MT, they relay it to my (already connected) WireGuard peer in the LAN?

In case you have a public IP address, there is no need to use BTH. Why are you considering it?

My backup-connection is a LTE-connection, which is CGNATed.
If DSL fails and LTE kicks in, my VPNs break.

If you want BTH for potential proxy support, you get the firewall rules too. There is no option to disable that logic. And you are stuck with all BTH instances using the 192.168.216.0/24 subnet.

But... the dynamic rules just allow the WG port, do NAT on the BTH subnet, and potentially enforce the allow-lan=no via an address list. None of that should interfere with existing configuration, since all rules target either the BTH WG interface or BTH subnet.

And you can add your own restrictions beyond them in other firewall rules (e.g. use allow-lan=yes in BTH, but then in your own configuration block whatever you want).

Concur, should work; note that the BTH functionality adds its own dynamic firewall rules at the top of the list.


And the chain=input rule that allows the WG port for BTH would be exactly the same if you did it yourself. In perhaps 95% of cases, you'd also want the same NAT masquerade rule for the WG IP subnet, which also comes first and applies only to the BTH interface. I get the apprehension, but the dynamic rules are pretty well thought out.
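To make the two replies above concrete (keep allow-lan=yes in BTH, then fence the BTH peers in with your own rules), here is an added RouterOS configuration example. It is not from the thread or from MikroTik's own BTH logic. It assumes the dynamic BTH WireGuard interface is named `back-to-home-vpn` (the name RouterOS 7 uses; check `/interface wireguard print` on your box), that BTH peers sit in the 192.168.216.0/24 subnet mentioned above, and that an interface list `WAN` and the LAN hosts 192.168.1.10 and 192.168.1.20 exist; all of these are assumptions for illustration.

```routeros
# Added example, not part of the original thread or of MikroTik's BTH code.
# Assumptions: BTH interface = back-to-home-vpn, BTH subnet = 192.168.216.0/24,
# interface list WAN exists, 192.168.1.10/20 are the LAN hosts to expose.

# What BTH already adds dynamically (shown for reference only, do NOT add these):
#   /ip firewall filter add chain=input protocol=udp dst-port=<bth-wg-port> action=accept
#   /ip firewall nat add chain=srcnat src-address=192.168.216.0/24 action=masquerade
# Both target only the BTH interface/subnet and sit at the top of the list.

# Hosts and services BTH peers are allowed to reach inside the LAN.
/ip firewall address-list
add list=bth-reachable address=192.168.1.10 comment="NAS (assumed)"
add list=bth-reachable address=192.168.1.20 comment="home server (assumed)"

# Own forward-chain policy for BTH peers. BTH's dynamic rules come first,
# but they only touch input and srcnat, so these rules decide what a
# connected phone may actually talk to. Order matters: accepts before the drop.
/ip firewall filter
add chain=forward in-interface=back-to-home-vpn src-address=192.168.216.0/24 \
    dst-address-list=bth-reachable protocol=tcp dst-port=22,443 action=accept \
    comment="BTH peers: only SSH/HTTPS to listed hosts"
add chain=forward in-interface=back-to-home-vpn src-address=192.168.216.0/24 \
    out-interface-list=WAN action=accept \
    comment="BTH peers: may use this router as internet exit"
add chain=forward in-interface=back-to-home-vpn action=drop \
    comment="BTH peers: everything else (rest of LAN, other VPNs) is blocked"

# Sanity check after enabling BTH: the dynamic rules should show up with the
# D flag above your own rules, and the drop counter below should grow only
# for traffic you actually intended to block.
/ip firewall filter print where in-interface=back-to-home-vpn
```

The point of writing the restriction in the forward chain is that BTH's own rules never accept forwarded traffic; with allow-lan=yes BTH only stops adding its "deny LAN" address-list rule, so the last drop rule above is what actually scopes a connected phone to the two listed hosts and the WAN exit.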

Side note here, with the surprising RN in 7.21:

Recovery when switching between the primary internet (DSL with public IP here), and CGNAT-ed LTE backup should be quicker.